# Responsible Disclosure Policy

Thank you for reading. This repository contains research notes and *sanitized* proof-of-concepts only. It intentionally does NOT contain weaponized exploit code, credentials, or raw user data.

## What this repo contains

- Research notes, sanitized PoCs (pseudocode), testing methodology, and defensive writeups.
- No production device credentials, no unredacted PII, and no exploit binaries that enable immediate abuse.

## If you believe you've found a security issue

1. **Do not** publish the vulnerability publicly. Contact repository owner privately:
   - GitHub username: `zshcatsandevops`
   - Email: `contacthaltmannworks@gmail.com` (replace with a contact address)
2. Provide: product name/version, vulnerability summary, reproduction steps (sanitized), and impact estimate. Do not include PII or stolen data.
3. I will acknowledge receipt within **7 calendar days**, and we will coordinate remediation and disclosure timing.
4. If you prefer, you can send reports to a third party such as JPCERT/IPA or a vendor bug-bounty program.

## What I will not publish

- Exploit code that enables immediate, unauthorised compromise.
- Unredacted personal data, credentials, or anything that facilitates abuse.

## Legal / ethical note

This is research-only material. If you are unsure whether your actions are authorised, do not attempt exploitation on systems you do not own or have explicit permission to test.

## Licensing

This repository is distributed under GPL-3.0 (see LICENSE). This policy supplements the license and is intended to reduce harm and aid responsible disclosure.